Hi Isaque! You could try a detector with source.ip as the partition field, and source.ip as well as destination.ip as influencers like so:
This will create separate time series for each source.ip in your environment and generate anomalies when a large number of bytes are sent from a particular source.ip, compared to its baseline. The influencers should tell you the destination.ip they were sent to.